As far as I know, AH only covers integrity and authentication. So, suppose that an intermediate router receives the packet with AH and not ESP. Then, can't the router open its content (<- and that's obvious) and even read authentication data of the packet and use it to fake its identity? (and make replay attacks possible?)

So, if this is true, isn't AH only effective with ESP?

Edit: What I am especially talking about is that, without altering the content of a packet, the intermediate router can read the packet and then hand the packet on to the original destination. If so, isn't authentication automatically broken?

2 Answers

AH uses a message authentication code; this is a cryptographic function, parametrized with a key. The MAC computes an "authentication token" for a given message (in the case of AH, an IP packet). Each MAC value is message specific and cannot be applied to another message. Therefore, observing the MAC value does not give any router the ability to make undetected alterations: the router does not have the key, and thus cannot compute a MAC value which will match its altered packets.

AH also includes a sequence number (which is covered by the MAC) so that a router may not replay old packets.

Thus, AH can ensure data integrity, even in the absence of encryption: integrity is making sure that what the receiver receives is indeed, down to the last bit, what the sender sent. When that sender is also reliably identified (in a way which cannot be faked by outsiders), then we have authenticity, which is high-powered integrity. AH provides that. What AH does not provide is confidentiality: preventing third parties from reading the data. You need ESP for that (in the IPsec context). AH may be useful in situations where integrity is important but not confidentiality, or where confidentiality through ESP would be too expensive (depending on the computational overhead of encryption, which can be high if the involved hardware is especially feeble).
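The following is an added illustration of the argument in this answer, not code from the original post and not real IPsec code: a toy AH-style authenticator where a keyed HMAC covers a sequence number plus payload, and the receiver keeps an anti-replay window. The key, window size, 12-byte truncated tag and the sample payloads are all constructed for the example. It shows that an on-path router can read the payload, but that modifying it, pairing the observed tag with a different packet, or replaying a packet is all caught at the receiver.

```python
import hashlib
import hmac
import struct

KEY = b"pre-shared key known only to the two endpoints"  # assumed value
MAC_LEN = 12   # truncated tag, as real AH uses for HMAC-SHA1-96
WINDOW = 64    # anti-replay window size (RFC 2402 suggests at least 32)


def make_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: 4-byte sequence number || payload || MAC over both."""
    header = struct.pack("!I", seq)
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + mac


class Receiver:
    """Verifies the MAC, then applies a sliding anti-replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0        # highest sequence number accepted so far
        self.accepted = set()   # sequence numbers accepted inside the window

    def verify(self, packet: bytes):
        if len(packet) < 4 + MAC_LEN:
            return False, "truncated packet"
        header, payload, mac = packet[:4], packet[4:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison; the MAC is checked before any state changes.
        if not hmac.compare_digest(mac, expected):
            return False, "MAC mismatch"
        seq = struct.unpack("!I", header)[0]
        if seq <= self.highest - WINDOW:
            return False, "sequence number too old"
        if seq in self.accepted:
            return False, "replayed sequence number"
        self.accepted.add(seq)
        if seq > self.highest:
            self.highest = seq
            # Slide the window: forget numbers that fell off its left edge.
            self.accepted = {s for s in self.accepted if s > self.highest - WINDOW}
        return True, "accepted"


def demo():
    """What an on-path router can and cannot do with a genuine AH-style packet."""
    rx = Receiver(KEY)
    p1 = make_packet(KEY, 1, b"transfer 10 USD")
    results = {}
    results["genuine"] = rx.verify(p1)[0]
    # No confidentiality: the payload is readable by anyone on the path.
    results["readable"] = p1[4:-MAC_LEN]
    # Router changes the payload but keeps the observed MAC.
    tampered = p1[:4] + b"transfer 99 USD" + p1[-MAC_LEN:]
    results["tampered"] = rx.verify(tampered)[0]
    # Router reuses the observed MAC on a packet with a new sequence number.
    forged = struct.pack("!I", 2) + b"transfer 10 USD" + p1[-MAC_LEN:]
    results["forged"] = rx.verify(forged)[0]
    # Router replays the genuine packet after a later one has been accepted.
    rx.verify(make_packet(KEY, 2, b"hello"))
    results["replay"] = rx.verify(p1)[1]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The order of checks matters: the MAC is verified before the sequence number is looked at, so an unauthenticated packet can never advance the window or mark a number as used.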

The IP Authentication Header (AH) is used to provide connectionless
integrity and data origin authentication for IP datagrams (hereafter
referred to as just "authentication"), and to provide protection
against replays. This latter, optional service may be selected, by
the receiver, when a Security Association is established. (Although
the default calls for the sender to increment the Sequence Number
used for anti-replay, the service is effective only if the receiver
checks the Sequence Number.) AH provides authentication for as much
of the IP header as possible, as well as for upper level protocol
data. However, some IP header fields may change in transit and the
value of these fields, when the packet arrives at the receiver, may
not be predictable by the sender. The values of such fields cannot
be protected by AH. Thus the protection provided to the IP header by
AH is somewhat piecemeal.

AH may be applied alone, in combination with the IP Encapsulating
Security Payload (ESP) [KA97b], or in a nested fashion through the
use of tunnel mode (see "Security Architecture for the Internet
Protocol" [KA97a], hereafter referred to as the Security Architecture
document). Security services can be provided between a pair of
communicating hosts, between a pair of communicating security
gateways, or between a security gateway and a host. ESP may be used
to provide the same security services, and it also provides a
confidentiality (encryption) service. The primary difference between
the authentication provided by ESP and AH is the extent of the
coverage. Specifically, ESP does not protect any IP header fields
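As an added example of the RFC's point about "piecemeal" header protection (not code from the original page or from any IPsec implementation), the following computes an AH-style integrity check value over a minimal IPv4 header with the mutable fields zeroed before hashing. RFC 2402 classifies Type of Service, Flags, Fragment Offset, Time to Live and Header Checksum as mutable for IPv4; everything else in the fixed header is immutable and covered. The key, addresses and payload are constructed, the real AH header fields (SPI, sequence number, the zeroed ICV slot) are omitted, and HMAC-SHA256 truncated to 12 bytes stands in for the negotiated algorithm.

```python
import hashlib
import hmac
import struct

KEY = b"assumed pre-shared key"   # assumed value
ICV_LEN = 12
# version/IHL, TOS, total length, id, flags+frag, TTL, proto, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def build_ipv4_header(src: bytes, dst: bytes, ttl: int, payload_len: int,
                      ident: int = 0x1234, tos: int = 0, proto: int = 51) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero for this example."""
    return struct.pack(IPV4_FMT, 0x45, tos, 20 + payload_len, ident, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(header: bytes) -> bytes:
    """Per RFC 2402: zero the IPv4 fields that may legitimately change in transit."""
    fields = list(struct.unpack(IPV4_FMT, header))
    fields[1] = 0   # Type of Service
    fields[4] = 0   # Flags + Fragment Offset
    fields[5] = 0   # Time to Live
    fields[7] = 0   # Header Checksum
    return struct.pack(IPV4_FMT, *fields)


def compute_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    return hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha256).digest()[:ICV_LEN]


def verify_icv(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(compute_icv(key, header, payload), icv)


def demo():
    """Which in-transit changes survive AH verification and which do not."""
    src, dst, payload = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"data"
    original = build_ipv4_header(src, dst, ttl=64, payload_len=len(payload))
    icv = compute_icv(KEY, original, payload)
    # A router decrements TTL: a mutable field, so the ICV still matches.
    hopped = build_ipv4_header(src, dst, ttl=63, payload_len=len(payload))
    # A router rewrites the destination: an immutable field, so it does not.
    redirected = build_ipv4_header(src, bytes([10, 0, 0, 9]), ttl=63, payload_len=len(payload))
    return {
        "original": verify_icv(KEY, original, payload, icv),
        "ttl_decremented": verify_icv(KEY, hopped, payload, icv),
        "dst_rewritten": verify_icv(KEY, redirected, payload, icv),
        "payload_altered": verify_icv(KEY, hopped, b"DATA", icv),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'rejected'}")
```

The zeroing step is exactly why a normal hop (TTL decrement, checksum recomputation) does not break the check while a change to addresses, length, identification or payload does; it is also why those mutable fields get no protection at all.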